I personally dislike changing IPs of the management servers mid-migration, but this early in the process it may not be detrimental.
You can use a secondary NIC on the VM with a different IP for file transfer and your primary IP on a dead-end network.
Once the file(s) are transferred, shut down the VM and remove the secondary NIC.
Additionally, while SIC will work, you may still have to reinitialize it, as I have seen situations where, after a successful migration, you get error messages:
"Issue Description: Moving Management HA to new appliances. Gaia configs replicated, IPs and hostnames are identical. Migrate Import/Export successful. SIC from target primary server to all components of infrastructure tested and confirmed working. After policy package push to the gateway at DR site, receiving error: ^Internal SSL authentication SSL error [Got alert from peer that the certificate expired]^
similar to one described in SK102975."
So the solution ended up being a SIC reset, even though the communication between the SMS and the gateways was working fine:
...it appears that you just need to reset the SIC so that the certification gets redone. To do this without resetting the firewall, follow the steps in sk86521. I have also included the steps below.
1. On the Security Gateway(S), run these commands:
a. [Expert@HostName]# cp_conf sic init New_Activation_Key norestart
b. [Expert@HostName]# cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
c. [Expert@HostName]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
2. In SmartDashboard:
A. Click on the Security Gateway object.
B. Click on 'Communication'.
C. Click 'Reset' and confirm.
D. Enter the New_Activation_Key (that was used in the 'cp_conf sic init ...' command on Security Gateway).
E. Click on 'Initialize'.
F. Install policy, if needed.
Please Note:
• Make sure you are resetting SIC to the same Management Server IP address. Using this procedure, the firewall still has the last installed policy.
• If the user has a "Stealth Rule" or a "Cleanup Rule", the current policy may only allow for communication between the Gateway and IP address of Management Server.
• If changing the IP address of the Management Server, this traffic will be dropped on the Stealth or Cleanup Rule.